SQL Injection Types – How To Test SQL Injection Manually
- September 5, 2019
- Posted by: Softvity
- Category: Web Development
SQL injection is a code injection technique used to attack data-driven websites and applications: malicious SQL statements are inserted into input fields and executed by the database (for example, to dump the database's contents to the attacker). These statements control the database server behind the web application.
Impacts of a SQL Injection Attack
SQL injection attacks are one of the oldest, most frequent and most dangerous web application vulnerabilities. A SQL injection vulnerability can affect any application or website that uses a SQL database such as MySQL, Oracle, SQL Server or others.
- Attackers can use SQL injection vulnerabilities to breach application security measures.
- The authentication and authorization of a website or web application can be bypassed and the contents of the entire SQL database retrieved.
- Hackers can add, modify and delete records in the database using SQL injection.
- Criminals can use it to gain unauthorized access to sensitive data: customer information, personal data, trade secrets, intellectual property and more.
Types of SQL Injection
SQL injection can be used in different ways to cause serious problems. By taking advantage of SQL injection, an attacker could bypass authentication and access, modify, and delete data within a database. In some cases, SQL injection can even be used to execute commands on the operating system, potentially allowing the attacker to reach further into the network behind the firewall.
#1- In-band SQLi (Classic SQLi)
In-band SQL injection is the most common and easiest-to-exploit kind of SQL injection attack. It occurs when an attacker uses the same communication channel both to launch the attack and to gather the results. The two most common types of in-band SQL injection are error-based SQLi and union-based SQLi.
- Error-based SQLi: Error-based SQLi is an in-band SQL injection technique that relies on error messages returned by the database server. In some cases, error-based SQL injection alone is sufficient to allow an attacker to enumerate a complete database. Although detailed errors are very useful during the development of a web application, they should be disabled on a live site.
- Union-based SQLi: Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
#2- Inferential SQLi (Blind SQLi)
Inferential SQL injection, unlike in-band SQLi, may take longer to exploit, but it is just as dangerous as any other form of SQLi. In an inferential SQLi attack, no data is actually transferred via the web application, so the attacker cannot see the result of the attack in-band (which is why these attacks are commonly referred to as “Blind SQL Injection Attacks”). Instead, the attacker reconstructs the database structure by sending payloads and observing the response of the web application and the resulting behavior of the database server.
There are two types of inferential SQL injection, as described below:
- Boolean-based blind SQLi (content-based): Boolean-based SQL injection is an inferential SQL injection technique based on sending a SQL query to the database that forces the application to return different outcomes depending on whether the query evaluates to TRUE or FALSE. Depending on the result, the content of the HTTP response will either change or remain the same.
- This allows an attacker to infer if the payload used returned true or false, even if no data is returned from the database.
- This attack is usually slow (especially against large databases) because the attacker has to enumerate the database character by character.
- Time-based SQLi: Time-based SQL injection is an inferential SQL injection technique based on sending a SQL query to the database that forces the database to wait for a specific time (in seconds) before responding. The response time will indicate to the attacker if the query result is TRUE or FALSE.
Examples of SQL Injection
Authentication Bypass:
This example shows how an attacker can use a SQL injection vulnerability to bypass the application's security controls and authenticate as an administrator.
The following script is executed on a web server. It is an example of authentication with a username and password. The sample database has a table called users with the following columns: username and password.
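The article's own script is not reproduced here. As an added example (not the original post's code), the following Python/sqlite3 snippet builds the described users table with two constructed accounts and places a concatenation-based login beside a parameterised one, so the structural difference can be observed on an input that contains a quote character.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: a 'users' table with username and
    password columns, as the article describes. Plain-text passwords are
    used only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland')")
    return conn

def build_vulnerable_query(username: str, password: str) -> str:
    # The flawed pattern: input is pasted into the SQL text, so a quote in
    # the input changes the statement's structure instead of its values.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Authenticates via string concatenation. Returns the matched username
    or None. A stray quote in the input yields a SQL syntax error, which is
    the signal an error-based probe looks for on a site that shows errors."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Authenticates with a parameterised query: the driver sends the SQL
    text and the values separately, so input can never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def compare(username, password):
    """Runs both logins on a fresh database and returns their results;
    a database error from the vulnerable path is reported as a string."""
    conn = make_db()
    try:
        vuln = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        vuln = "error: " + type(exc).__name__
    return vuln, login_safe(conn, username, password)

if __name__ == "__main__":
    print(compare("admin", "S3cret!"))   # valid credentials: both succeed
    print(compare("o'brien", "x"))       # quote breaks only the vulnerable query
```

The quote in `o'brien` is ordinary data to the parameterised query but a syntax change to the concatenated one, which is the property an injection attack builds on.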